Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe
-
Size
453KB
-
MD5
25270dba82b4387dce3ee39afb168b5e
-
SHA1
53e312f75105cbb6c9f9a24e25916a48648f3f55
-
SHA256
9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028
-
SHA512
01955c33abdd340645e44caf784420c6042b5d2df06dca6214c781adcfc0278f0ecc832856b42b1f6d60b2462940c3f2813403b6d9b30436ee713f3497af6afc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3504-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1108-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4504-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-878-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-981-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-1187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-1958-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3616 dppjj.exe 776 644822.exe 4852 pjvdv.exe 4756 26648.exe 2116 fxfxxxr.exe 2172 86888.exe 4340 tthbhh.exe 4264 48620.exe 4952 804262.exe 4288 00426.exe 1952 2660820.exe 1832 40284.exe 4988 8642262.exe 1932 frfxlfr.exe 4436 e68640.exe 2652 860820.exe 2228 3xrfrlf.exe 2532 6226004.exe 4008 5nbnbb.exe 4636 46486.exe 3244 2008820.exe 1108 804088.exe 4800 nhbhbn.exe 4672 3xxlxrx.exe 1828 s8808.exe 224 4844826.exe 3868 4620088.exe 3048 864626.exe 1048 w80246.exe 4480 08208.exe 4112 jvddv.exe 3088 424680.exe 4880 djdpj.exe 2004 466426.exe 452 0666648.exe 4548 ffffrlf.exe 2336 tbhttn.exe 4652 xrrllrf.exe 2648 vppdp.exe 5112 pdjvd.exe 1600 nbbnhb.exe 3304 lrrflfl.exe 4260 2206486.exe 2548 4042222.exe 4812 hththb.exe 1968 dppdv.exe 3748 844204.exe 1160 dpjvp.exe 4468 vjpdd.exe 2720 i820860.exe 2620 62428.exe 4856 8682688.exe 4848 6264264.exe 4936 vjvpj.exe 4324 lxfllff.exe 672 vpvpd.exe 3068 04086.exe 1168 e48648.exe 3100 824280.exe 1072 jjjvj.exe 4948 64820.exe 4264 088604.exe 2252 bnnbnh.exe 464 9thtnb.exe -
resource yara_rule behavioral2/memory/3504-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4672-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-336-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4604-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-586-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0024062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2682888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3504 wrote to memory of 3616 3504 9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe 83 PID 3504 wrote to memory of 3616 3504 9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe 83 PID 3504 wrote to memory of 3616 3504 9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe 83 PID 3616 wrote to memory of 776 3616 dppjj.exe 84 PID 3616 wrote to memory of 776 3616 dppjj.exe 84 PID 3616 wrote to memory of 776 3616 dppjj.exe 84 PID 776 wrote to memory of 4852 776 644822.exe 85 PID 776 wrote to memory of 4852 776 644822.exe 85 PID 776 wrote to memory of 4852 776 644822.exe 85 PID 4852 wrote to memory of 4756 4852 pjvdv.exe 86 PID 4852 wrote to memory of 4756 4852 pjvdv.exe 86 PID 4852 wrote to memory of 4756 4852 pjvdv.exe 86 PID 4756 wrote to memory of 2116 4756 26648.exe 87 PID 4756 wrote to memory of 2116 4756 26648.exe 87 PID 4756 wrote to memory of 2116 4756 26648.exe 87 PID 2116 wrote to memory of 2172 2116 fxfxxxr.exe 88 PID 2116 wrote to memory of 2172 2116 fxfxxxr.exe 88 PID 2116 wrote to memory of 2172 2116 fxfxxxr.exe 88 PID 2172 wrote to memory of 4340 2172 86888.exe 89 PID 2172 wrote to memory of 4340 2172 86888.exe 89 PID 2172 wrote to memory of 4340 2172 86888.exe 89 PID 4340 wrote to memory of 4264 4340 tthbhh.exe 90 PID 4340 wrote to memory of 4264 4340 tthbhh.exe 90 PID 4340 wrote to memory of 4264 4340 tthbhh.exe 90 PID 4264 wrote to memory of 4952 4264 48620.exe 91 PID 4264 wrote to memory of 4952 4264 48620.exe 91 PID 4264 wrote to memory of 4952 4264 48620.exe 91 PID 4952 wrote to memory of 4288 4952 804262.exe 92 PID 4952 wrote to memory of 4288 4952 804262.exe 92 PID 4952 wrote to memory of 4288 4952 804262.exe 92 PID 4288 wrote to memory of 1952 4288 00426.exe 93 PID 4288 wrote to memory of 1952 4288 00426.exe 93 PID 4288 wrote to memory of 1952 4288 00426.exe 93 PID 1952 wrote to memory of 1832 1952 2660820.exe 94 PID 1952 wrote to memory of 1832 1952 
2660820.exe 94 PID 1952 wrote to memory of 1832 1952 2660820.exe 94 PID 1832 wrote to memory of 4988 1832 40284.exe 95 PID 1832 wrote to memory of 4988 1832 40284.exe 95 PID 1832 wrote to memory of 4988 1832 40284.exe 95 PID 4988 wrote to memory of 1932 4988 8642262.exe 96 PID 4988 wrote to memory of 1932 4988 8642262.exe 96 PID 4988 wrote to memory of 1932 4988 8642262.exe 96 PID 1932 wrote to memory of 4436 1932 frfxlfr.exe 97 PID 1932 wrote to memory of 4436 1932 frfxlfr.exe 97 PID 1932 wrote to memory of 4436 1932 frfxlfr.exe 97 PID 4436 wrote to memory of 2652 4436 e68640.exe 98 PID 4436 wrote to memory of 2652 4436 e68640.exe 98 PID 4436 wrote to memory of 2652 4436 e68640.exe 98 PID 2652 wrote to memory of 2228 2652 860820.exe 99 PID 2652 wrote to memory of 2228 2652 860820.exe 99 PID 2652 wrote to memory of 2228 2652 860820.exe 99 PID 2228 wrote to memory of 2532 2228 3xrfrlf.exe 100 PID 2228 wrote to memory of 2532 2228 3xrfrlf.exe 100 PID 2228 wrote to memory of 2532 2228 3xrfrlf.exe 100 PID 2532 wrote to memory of 4008 2532 6226004.exe 101 PID 2532 wrote to memory of 4008 2532 6226004.exe 101 PID 2532 wrote to memory of 4008 2532 6226004.exe 101 PID 4008 wrote to memory of 4636 4008 5nbnbb.exe 102 PID 4008 wrote to memory of 4636 4008 5nbnbb.exe 102 PID 4008 wrote to memory of 4636 4008 5nbnbb.exe 102 PID 4636 wrote to memory of 3244 4636 46486.exe 103 PID 4636 wrote to memory of 3244 4636 46486.exe 103 PID 4636 wrote to memory of 3244 4636 46486.exe 103 PID 3244 wrote to memory of 1108 3244 2008820.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe"C:\Users\Admin\AppData\Local\Temp\9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\dppjj.exec:\dppjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\644822.exec:\644822.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\pjvdv.exec:\pjvdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\26648.exec:\26648.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\fxfxxxr.exec:\fxfxxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\86888.exec:\86888.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\tthbhh.exec:\tthbhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\48620.exec:\48620.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\804262.exec:\804262.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\00426.exec:\00426.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\2660820.exec:\2660820.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\40284.exec:\40284.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\8642262.exec:\8642262.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\frfxlfr.exec:\frfxlfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\e68640.exec:\e68640.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\860820.exec:\860820.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\3xrfrlf.exec:\3xrfrlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\6226004.exec:\6226004.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\5nbnbb.exec:\5nbnbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\46486.exec:\46486.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\2008820.exec:\2008820.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\804088.exec:\804088.exe23⤵
- Executes dropped EXE
PID:1108 -
\??\c:\nhbhbn.exec:\nhbhbn.exe24⤵
- Executes dropped EXE
PID:4800 -
\??\c:\3xxlxrx.exec:\3xxlxrx.exe25⤵
- Executes dropped EXE
PID:4672 -
\??\c:\s8808.exec:\s8808.exe26⤵
- Executes dropped EXE
PID:1828 -
\??\c:\4844826.exec:\4844826.exe27⤵
- Executes dropped EXE
PID:224 -
\??\c:\4620088.exec:\4620088.exe28⤵
- Executes dropped EXE
PID:3868 -
\??\c:\864626.exec:\864626.exe29⤵
- Executes dropped EXE
PID:3048 -
\??\c:\w80246.exec:\w80246.exe30⤵
- Executes dropped EXE
PID:1048 -
\??\c:\08208.exec:\08208.exe31⤵
- Executes dropped EXE
PID:4480 -
\??\c:\jvddv.exec:\jvddv.exe32⤵
- Executes dropped EXE
PID:4112 -
\??\c:\424680.exec:\424680.exe33⤵
- Executes dropped EXE
PID:3088 -
\??\c:\djdpj.exec:\djdpj.exe34⤵
- Executes dropped EXE
PID:4880 -
\??\c:\466426.exec:\466426.exe35⤵
- Executes dropped EXE
PID:2004 -
\??\c:\0666648.exec:\0666648.exe36⤵
- Executes dropped EXE
PID:452 -
\??\c:\ffffrlf.exec:\ffffrlf.exe37⤵
- Executes dropped EXE
PID:4548 -
\??\c:\tbhttn.exec:\tbhttn.exe38⤵
- Executes dropped EXE
PID:2336 -
\??\c:\xrrllrf.exec:\xrrllrf.exe39⤵
- Executes dropped EXE
PID:4652 -
\??\c:\vppdp.exec:\vppdp.exe40⤵
- Executes dropped EXE
PID:2648 -
\??\c:\pdjvd.exec:\pdjvd.exe41⤵
- Executes dropped EXE
PID:5112 -
\??\c:\nbbnhb.exec:\nbbnhb.exe42⤵
- Executes dropped EXE
PID:1600 -
\??\c:\lrrflfl.exec:\lrrflfl.exe43⤵
- Executes dropped EXE
PID:3304 -
\??\c:\2206486.exec:\2206486.exe44⤵
- Executes dropped EXE
PID:4260 -
\??\c:\4042222.exec:\4042222.exe45⤵
- Executes dropped EXE
PID:2548 -
\??\c:\hththb.exec:\hththb.exe46⤵
- Executes dropped EXE
PID:4812 -
\??\c:\dppdv.exec:\dppdv.exe47⤵
- Executes dropped EXE
PID:1968 -
\??\c:\844204.exec:\844204.exe48⤵
- Executes dropped EXE
PID:3748 -
\??\c:\dpjvp.exec:\dpjvp.exe49⤵
- Executes dropped EXE
PID:1160 -
\??\c:\vjpdd.exec:\vjpdd.exe50⤵
- Executes dropped EXE
PID:4468 -
\??\c:\i820860.exec:\i820860.exe51⤵
- Executes dropped EXE
PID:2720 -
\??\c:\62428.exec:\62428.exe52⤵
- Executes dropped EXE
PID:2620 -
\??\c:\8682688.exec:\8682688.exe53⤵
- Executes dropped EXE
PID:4856 -
\??\c:\6264264.exec:\6264264.exe54⤵
- Executes dropped EXE
PID:4848 -
\??\c:\vjvpj.exec:\vjvpj.exe55⤵
- Executes dropped EXE
PID:4936 -
\??\c:\lxfllff.exec:\lxfllff.exe56⤵
- Executes dropped EXE
PID:4324 -
\??\c:\vpvpd.exec:\vpvpd.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:672 -
\??\c:\04086.exec:\04086.exe58⤵
- Executes dropped EXE
PID:3068 -
\??\c:\e48648.exec:\e48648.exe59⤵
- Executes dropped EXE
PID:1168 -
\??\c:\824280.exec:\824280.exe60⤵
- Executes dropped EXE
PID:3100 -
\??\c:\jjjvj.exec:\jjjvj.exe61⤵
- Executes dropped EXE
PID:1072 -
\??\c:\64820.exec:\64820.exe62⤵
- Executes dropped EXE
PID:4948 -
\??\c:\088604.exec:\088604.exe63⤵
- Executes dropped EXE
PID:4264 -
\??\c:\bnnbnh.exec:\bnnbnh.exe64⤵
- Executes dropped EXE
PID:2252 -
\??\c:\9thtnb.exec:\9thtnb.exe65⤵
- Executes dropped EXE
PID:464 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe66⤵PID:4832
-
\??\c:\tnhbtn.exec:\tnhbtn.exe67⤵PID:2220
-
\??\c:\hbhtht.exec:\hbhtht.exe68⤵PID:4668
-
\??\c:\2426006.exec:\2426006.exe69⤵PID:3308
-
\??\c:\9xxlxrf.exec:\9xxlxrf.exe70⤵PID:3084
-
\??\c:\26080.exec:\26080.exe71⤵PID:4504
-
\??\c:\xlrrxxx.exec:\xlrrxxx.exe72⤵PID:4728
-
\??\c:\lffxrll.exec:\lffxrll.exe73⤵PID:2168
-
\??\c:\rfllfff.exec:\rfllfff.exe74⤵PID:4268
-
\??\c:\2224886.exec:\2224886.exe75⤵PID:2528
-
\??\c:\646260.exec:\646260.exe76⤵PID:820
-
\??\c:\86042.exec:\86042.exe77⤵PID:4604
-
\??\c:\4282004.exec:\4282004.exe78⤵PID:4648
-
\??\c:\rrrfrfr.exec:\rrrfrfr.exe79⤵PID:3176
-
\??\c:\8446842.exec:\8446842.exe80⤵PID:5104
-
\??\c:\fxlxxxr.exec:\fxlxxxr.exe81⤵PID:1844
-
\??\c:\3frlfxl.exec:\3frlfxl.exe82⤵PID:3448
-
\??\c:\bbhnhn.exec:\bbhnhn.exe83⤵PID:4800
-
\??\c:\2682888.exec:\2682888.exe84⤵
- System Location Discovery: System Language Discovery
PID:4300 -
\??\c:\hbhthh.exec:\hbhthh.exe85⤵PID:32
-
\??\c:\pjppd.exec:\pjppd.exe86⤵PID:3200
-
\??\c:\g0048.exec:\g0048.exe87⤵PID:1956
-
\??\c:\8686206.exec:\8686206.exe88⤵PID:3160
-
\??\c:\606204.exec:\606204.exe89⤵PID:2916
-
\??\c:\u640666.exec:\u640666.exe90⤵PID:884
-
\??\c:\824400.exec:\824400.exe91⤵PID:4944
-
\??\c:\7djpp.exec:\7djpp.exe92⤵PID:408
-
\??\c:\2626446.exec:\2626446.exe93⤵PID:5004
-
\??\c:\1ththb.exec:\1ththb.exe94⤵PID:4972
-
\??\c:\262266.exec:\262266.exe95⤵PID:1196
-
\??\c:\024020.exec:\024020.exe96⤵PID:3624
-
\??\c:\44464.exec:\44464.exe97⤵PID:3592
-
\??\c:\6860028.exec:\6860028.exe98⤵PID:4072
-
\??\c:\nttbbn.exec:\nttbbn.exe99⤵PID:3712
-
\??\c:\28042.exec:\28042.exe100⤵PID:1096
-
\??\c:\42268.exec:\42268.exe101⤵PID:1816
-
\??\c:\08220.exec:\08220.exe102⤵PID:432
-
\??\c:\04048.exec:\04048.exe103⤵PID:4772
-
\??\c:\frxlfrl.exec:\frxlfrl.exe104⤵PID:1416
-
\??\c:\8200628.exec:\8200628.exe105⤵PID:1052
-
\??\c:\488264.exec:\488264.exe106⤵PID:2536
-
\??\c:\9ddvp.exec:\9ddvp.exe107⤵PID:3056
-
\??\c:\jddvp.exec:\jddvp.exe108⤵PID:3204
-
\??\c:\bbttbb.exec:\bbttbb.exe109⤵PID:3700
-
\??\c:\2648446.exec:\2648446.exe110⤵PID:1320
-
\??\c:\22420.exec:\22420.exe111⤵PID:1560
-
\??\c:\dpvpd.exec:\dpvpd.exe112⤵PID:4444
-
\??\c:\frlfrlf.exec:\frlfrlf.exe113⤵PID:4524
-
\??\c:\xflxrlf.exec:\xflxrlf.exe114⤵PID:3504
-
\??\c:\02464.exec:\02464.exe115⤵PID:4148
-
\??\c:\86260.exec:\86260.exe116⤵
- System Location Discovery: System Language Discovery
PID:1556 -
\??\c:\040424.exec:\040424.exe117⤵PID:4856
-
\??\c:\7xxxrrl.exec:\7xxxrrl.exe118⤵PID:4888
-
\??\c:\ntnhbb.exec:\ntnhbb.exe119⤵PID:2672
-
\??\c:\jvddj.exec:\jvddj.exe120⤵PID:552
-
\??\c:\q40488.exec:\q40488.exe121⤵PID:3192
-
\??\c:\xfxrfxr.exec:\xfxrfxr.exe122⤵PID:1300